DaZZee I.T. Services – Springfield, Joplin, and Harrison Managed Services Provider
https://dazzee.com
We Eliminate Your I.T. Headaches
Thu, 16 Apr 2020 20:35:12 +0000

Using ZOOM? – Make Sure To Secure It!
https://dazzee.com/using-zoom-make-sure-to-secure-it/
Tue, 14 Apr 2020 18:57:41 +0000

Chances Are – You Have Been On A Zoom Conference In The Last Few Weeks – But Is It Secure?

The short answer to this is – maybe 🙂 . If you have paid attention to the news (and who hasn’t in the last few weeks) you are probably aware of some significant security concerns with Zoom conferencing software and related services. However, the question many people have is – how concerned should I be, and how do I secure it?

Summary of the Risks

In a nutshell, here are the main risks that have been brought up:

Zoombombing – a scenario where unwanted attendees are able to intrude upon a meeting and introduce unwanted audio, comments, or pictures effectively disrupting the meeting.

Potential for your Windows credentials to be leaked through a Zoom conference

How can you address these risks?

In order of the risks listed:

– Zoombombing – this was exploited by either not having a password for the meeting set or sharing the password publicly. Zoom has since made it the default for all meetings to have a password assigned. Unless you remove the password manually in the meeting setup, you should be OK.

The second part of this is if you share your meeting publicly, anyone will automatically have the password. We get it… sometimes you want to host a public meeting that anyone can join. For those instances Zoom has the ability to require registration to attend the meeting. This means that all users must give you their information to attend.

In addition to this you can enable the “Waiting Room” feature that puts all attendees in a virtual waiting room that requires you to manually admit them to the conference. While there is still the potential for a malicious attendee to register and join the meeting through the waiting room – it removes the conference as “low hanging fruit” for those wanting to disrupt.

– Potential for Windows credentials to be leaked – This vulnerability stems from a malicious attendee enticing others to click on a link in the chat window of a Zoom conference. The simplest way to address this is to make sure (just as you would with email, online platforms, texts, etc.) that you don’t click on links that are unexpected or from users you don’t know. There are some backend fixes that your I.T. department can deploy, but seriously – don’t click on things when you don’t know what they are 🙂

– No end-to-end encryption of calls. Unfortunately, at this point that is still a limitation of the Zoom platform. What this means is that there is the POTENTIAL for your call to be intercepted at the Zoom hub – but not at any other point in between. While the chances of that are very limited, the possibility does exist, and given the discovery that some calls were recently routed through China, it is cause for concern for any organization with complex security requirements or sensitive information on the calls.

– Unintended/unwanted software installed with Zoom. Again, this goes back to the platform itself and is a function of the actual installer. Zoom, for the most part, since there has been a heightened awareness of security concerns, is addressing those concerns daily and has committed to making security one of its priorities for the next few months.

Other Recommendations to Help Secure Meetings

These are normal security recommendations but have become more and more important as it relates to securing whatever video conferencing solution you are using:

Don’t ever, ever, EVER reuse passwords between sites/services. Statistics show that over 70% of users use the same password on multiple sites and services!! Seriously…PLEASE stop doing that! Make it a priority today to change those passwords!

What are the other options for video conferencing?

As with any software solution that has had explosive growth like Zoom has over the last 30 days, there are bound to be security issues raised with the increased usage and focus. Nothing is 100% secure, nor will it ever be.

But each organization must weigh the risks associated with the tools and platforms they will use. Fortunately, there are several very robust video conferencing solutions available.

The Good News

The good news is that while there may be some security concerns around any software, the ease of use and availability of video conferencing has enabled millions of users to work from anywhere and most importantly, enabled many of us to work from home safely. So hats off to all video conference providers for keeping our businesses and organizations running and working from anywhere! With some good security practices and attention to detail – you CAN work remotely and get through these unprecedented times!

As always, if you have questions or concerns, DaZZee is here for you.

8 Easy Tips to Shop Safe Online this Holiday Season
https://dazzee.com/8-easy-tips-to-shop-safe-online-this-holiday-season/
Mon, 02 Dec 2019 18:01:14 +0000

’Tis the season for lots of merriment, and lots of shopping. Latest numbers by the “experts” guess that Americans will spend $200 billion (yes, with a “b”) this year. Over $149 billion of that will be online. Sounds like a lot, right? The crooks think so, too. Remember, there are lots of Grinches out there trying to steal our holiday joy. The Christmas season is also the prime season for identity theft and for hackers to get access to your finances. Just like we learned to lock our car doors, hide purchases in the trunk and protect our wallets, there are precautions you should take before hopping on the internet to find that perfect gift.

Don’t use free Wi-Fi to do your shopping. EVER. Although sipping a peppermint mocha while checking off that perfect gift sounds dreamy, you could be risking your sensitive information to unintended recipients without even knowing it. It is very easy to fake a free Wi-Fi network and capture every item you send or receive, and you probably would never even realize it. Think of it this way… would you leave a $100 bill on the table while you go to the bathroom? Using free Wi-Fi to make purchases makes as much sense.

Set up a PayPal, Venmo, Apple Pay or Google Pay account. That way, your credit card information is secure in one “vault”, instead of being spread out over several sites. Plus there’s the perk of not having to enter your billing address and shipping address every time, which I love.

Don’t save your credit card information on retail websites. EVER. Yeah, they say they’re secure and that it’s safe, but the issue isn’t necessarily that they are not secure… it’s that if your web browser is compromised or someone gets access to it, all of your information is offered up with no extra hassle.

If you find something you want from a site that only takes credit cards, run to Walgreens or Target or heck, anywhere, and buy a Visa gift card to use. They are available everywhere and then if you do get hacked, there’s a limited amount they can get and you don’t have to shut down all your accounts.

Use a password manager. Every retail website wants you to set up a user name and password, and it IS nice to be able to go back and track your order anytime, but don’t fall into the convenient trap of using the same password on every site (I was guilty of that for years). A password manager like 1Password assigns secure, individual, crazy complex passwords for every site you use, including your bank account.

No retail shop will ask for your social security number. EVER. Do not ever, ever, EVER give it out. No matter how great that gift looks or how lovely Aunt Betty will look in it, click away from that site. Fast.

All banks offer online accounts now. Set it up where you get a text every time something comes out of your account. That way, if the worst does happen, you know instantly and can contact your bank. If you were walking in the mall and someone stole your wallet, you wouldn’t want to wait till the end of the month to know about it. Be aware of what’s going on.

Pay attention to the URL of the site you’re shopping at. Make sure it’s where you meant to be, and make sure you see the little lock to the left of the web address. This shows you that your connection to the site is encrypted. You can also click on the address and make sure it starts with “https”; the “s” at the end tells you it’s secure. “Http” is non-secure and a no-thank-you-ma’am when entering personal information.

The perks of online shopping are numerous… you have the entire world at your fingertips… sizes, colors, options, not to mention not having to stampede or get your toes stepped on. With just a few precautions you can wrap up your holiday shopping without having to leave your Christmas tree or your jammies.

Security Operations Center (SOC) and Security Information and Event Management (SIEM) – Be Careful of the Buzzwords
https://dazzee.com/security-operations-center-soc-and-security-information-and-event-managment-siem-be-careful-of-the-buzzwords/
Thu, 07 Nov 2019 01:39:50 +0000

SOC and SIEM… the Latest Buzzwords

About 8 years ago, when Managed I.T. Services was starting to gain a foothold in the small and medium sized business space, the term “Proactive” was coined as the hot buzzword. Outsourced I.T. services were transitioning from a fully reactionary model, in which businesses paid based upon block hours or a “time and materials” approach, over to a flat fee approach in which service providers were trying to figure out how much time and which services to include, all at a predictable cost each month. Fast forward to 2019, and the term “proactive” has lost all meaning and quite frankly – it makes me cringe every time I hear how some organizations are using it, claiming that their version of “proactive” is still an automatic alarm that their monitoring software raises AFTER an issue has already occurred. There’s nothing proactive at all about service providers’ approaches like this; it’s simply an automated reactive support model.

As we wind down 2019, there are some new buzzwords that are starting to take the place of “proactive”, which is a welcome relief but is still fraught with similar misconceptions, flawed approaches, and quite simply – huge potential for businesses to be led further down a rabbit hole of thinking they are better protected than they really are. Enter the buzzwords – Security Operations Center, or “SOC” as it is commonly referred to, and Security Information and Event Management, or SIEM. Both buzzwords are starting to be leveraged in the sales conversation and used in marketing initiatives where wildly colored dress “socks” are being given away as a quirky way to do something different than talk about “Proactive”.

What Do SOC and SIEM Even Mean?

Before we get too deep into the dangers of blindly accepting these buzzwords, let’s first take a step back and define what they even mean. A Security Operations Center or SOC, is simply a practice of having dedicated security engineers actively watching over clients’ networks on a consistent basis. Normally this is provided on a 24/7/365 basis since the bad guys who are trying to do bad things are not considerate enough to at least launch their attacks during normal business hours. So in essence the big differentiator in terms of what a SOC provides is dedicated security engineers watching over your stuff on a dedicated consistent basis.

Now let’s add in a Security Information and Event Management (SIEM) component. All this really means is that, while you have people watching over your stuff on an ongoing, consistent basis, you add in the benefit of having a security event log repository that these security engineers can analyze in real time, or from a historical perspective if an issue does arise that requires more advanced diagnostics and detective work.

So What Do We Need To Be Cautious Of?

Neither of these two services is a bad thing! In fact, these are a HUGE step forward in getting business owners and managers aware of the significance and reality of the threats that are hitting their operations on a daily basis. Because security engineers are not cheap, nor are they available in any sense of abundance in any market, many service providers are outsourcing these two services to larger security vendors that can provide a framework for scale, allowing highly specialized engineers to be leveraged across multiple clients and networks. Again, there is nothing at all wrong with outsourcing the SOC and SIEM operations to a larger, security-focused partner, since it allows for better skillsets, better tools, and better infrastructure than most small Managed Services Providers or Managed Security Services Providers can provide in-house. In fact, DaZZee leverages this model as well and utilizes one of the top security partners and services in the industry to provide our 24/7/365 SOC and SIEM.

So if these services by themselves are not bad, and the idea of outsourcing to a specialized partner is not bad, where is the danger that most businesses need to be worried about with the advent of these new buzzwords? Simply put – these buzzwords cannot be the sole focus of the security discussion and framework. If they are, businesses and organizations are making huge false assumptions about their level of protection and security for their operations. SOCs and SIEMs are nothing more than tools in a tool bag. Organizations must recognize that a hammer can’t build a house on its own; it takes an architect, a skilled contractor, and a detailed plan to make it happen. That’s where the flaws and mistakes are being made, especially in the sales discussion with service providers today, just like they were several years ago when the discussion was about being “proactive”.

To help further outline the danger of blindly buying into these buzzwords, think of it this way:

You have an alarm system on your business. That’s a great step – getting something that can generate an alarm if something bad or unexpected happens. So the next step is that you want to hire a monitoring company that can respond to the alarms if something bad happens in the middle of the night and, if necessary, call the fire or police department on your behalf. That again is great – you need someone looking at those items 24/7.

But… you don’t start there or only implement these (or at least hopefully you don’t). You also make sure you build your office in a great location that has a lower crime rate. You install multiple locks and security points inside the building so that it is much more difficult for someone to get to your valuable items, money, or intellectual property. You make sure any cash is stored in a locked safe, and that any cash on premises is kept to the minimum needed for operations. You do background checks on your employees to make sure you are hiring credible, honest, and trustworthy staff. You establish policies for access and who can get to what data or physical items. You install security cameras to deter theft and to provide security footage in the event something happens. You may have a security service on premises after hours. Simply put, you don’t start with an alarm system and a monitoring company… you start with all the tools and measures needed to physically secure your operation, and the alarm system and monitoring company are normally the last steps.

So the real danger when it comes to SOCs and SIEMs in cybersecurity discussions, and how they can help or impact your operations, is this: just like the buzzword “Proactive” was thrown out loosely without any context, the same thing is happening with SOC and SIEM as industry buzzwords. We are seeing an influx of people trying to get into the managed services and managed security services market due to the perceived simplicity of some of the technology today as well as the lucrative potential for recurring revenue. People and organizations that have had no background, or at best a limited background, in network infrastructure and security as their core business model are now representing themselves as “Security Experts” and Managed Security Services Providers (MSSP) (another buzzword being overused). They are leveraging the buzzwords and outsourcing the monitoring and management services because it is becoming cheaper and easier, but at the core of their operations, they have limited in-house experience to design, operate, and maintain a secure network environment.

What Do We Need To Do To Make Sure We Are Using The Proper Criteria When Choosing an MSSP?

So the questions you need to be asking if you are being presented with a Managed Security Service offering are:

How many years has your organization been in the network security and network design field as a core competency of your business?

What security-specific certifications do your in-house techs and engineers hold?

What is your in-house level of experience as it relates to cybersecurity and the mechanisms needed to design and secure the infrastructure and processes of our organization?

Who would be onsite with us from your team in the event of a cybersecurity incident and what does that response plan look like?

If those questions are not answered with specifics about their internal team and operations, and are instead deflected to the SOC/SIEM they are using, you need to talk to a different provider. While having a SOC and SIEM to monitor your threats is crucial in today’s threat landscape, it is in fact the last layer in a complex, multilayered approach to properly securing your operations.

The good news is that businesses are now starting to have the security conversation about their business and operations. Just make sure that you are not putting all of your eggs in a buzzword of the month basket.

Want To See If You Have Your CyberSecurity Risks Covered? Download Our CyberSecurity Checklist To See How You Compare

Are You Shopping For Managed Services The Same Way You Shop For Janitorial Services?
https://dazzee.com/shopping-for-managed-services/
Tue, 30 Jul 2019 23:40:31 +0000

When it comes to selecting a managed services or technology partner – are you shopping for those services the same way you shop for your janitorial services? You know… issuing an RFP or requesting three bids be submitted to you. If this sounds familiar… YOU ARE MISSING THE MOST IMPORTANT AND BUSINESS IMPACTING ASPECTS!

First of all, let’s get this out there: there is nothing wrong with shopping for janitorial or lawn maintenance services using this methodology. And those services are critical for a business to operate in an orderly fashion and therefore necessary. But if you are applying the same idea to the people and services that impact every one of your employees, customers, and business operations as a whole, it will come back to bite you!

Why Are Janitorial Services Not The Model To Base An RFP On?

When shopping for janitorial services – you know the exact services you need and scope of what is to be provided. Therefore you outline exactly what is supposed to be done and potential vendors just submit their proposed pricing for those services.

Each vendor that replies to your RFP or submits a quote is basically providing the same thing. Yes they can have staff that is more thorough or friendlier, but for the most part, a mop is a mop and the mower they use to cut the grass really doesn’t matter.

You can tell whether or not they are doing a good job by looking at their results. Either the bathrooms are clean or not, and the sidewalks are clear of grass clippings. There is no ambiguity.

It uses common language – you know and understand the terminology involved. Mowing, mulching, mopping, dusting… these are terms everyone knows and understands.

So What Are The Unique Qualities of Managed Services That You Have To Factor In?

For 90 percent of those that are shopping for managed services – you don’t know exactly what needs to be done or what it requires, or how to tell if it even is being done at all. You just know that you want someone to be in charge of taking care of it and you want your staff to be happy with the choice.

EVERY vendor you get a bid from is going to handle it differently. It would be similar to saying – I want a price for a meal, but not specifying whether that meal is from Taco Bell or from Ruth’s Chris. Every MSP provides some of what we call “The Everybody Stuff”… like monitoring, answering help desk requests, and providing software patching. But the differentiators won’t be in the “Everybody Stuff”… they are going to be in the things that make each managed services provider different, like whether or not they specialize in cyber-security or are more geared towards desktop applications.

You can’t necessarily see the results they are bringing in their services. It’s not that easy to physically see a more secure environment, or physically see networks running more efficiently. There are metrics but unless you know what to look for… you are going to assume everyone is doing the same type of work. Guess what… it is guaranteed they are not.

I.T. and technology use complex and foreign terminology – sometimes even the managed services provider doesn’t truly understand it either. That’s where open discussions around what is going to be provided, how it will be provided, and why it is important need to happen to fully evaluate the solution.

If you are basing your decision on which solution comes in at the lowest price, it is guaranteed that you are going to miss out on something. Think about it: the salaries of qualified and certified individuals really don’t vary that much in a market. They will go where the market pays them the most. If someone agrees to work for 20% less than the market value, there is a reason. Either they don’t know as much as they claim they do, or they don’t have the same qualities in terms of customer service. The next thing to consider is that if there is a significant difference in price, you are not getting the same services. The labor costs, tool costs, and overhead won’t change that much. So that leaves the services they are going to provide you. But most people don’t know enough to be able to recognize something that is not being provided.

SECURITY – this one can’t be stressed enough! With the recent uptick in data breaches and ransomware attacks, if even a small aspect of security is ignored, it can be catastrophic to your organization. This is the one area that you cannot ignore getting very specific processes nailed down and communicated from your I.T. partner.

Bottom Line

In today’s crowded marketplace for technology services, it may appear that all MSPs are providing the same services. In some cases they will be close, but those tend to be the providers on the bottom of the list of services and pricing. Just about anyone can hang a shingle today and profess to be I.T. experts… even if their main business is insurance, or accounting, or copiers. If you simply issue an RFP or request quotes without additional due diligence to identify what is different about the provider and services, it is guaranteed that you will miss something and/or make the decision on faulty information provided to you.

If You Want The Right Questions To Ask A Prospective Managed Services Provider - Download The Checklist Here

Cyber-Security is a SHARED Responsibility
https://dazzee.com/cyber-security-is-a-shared-responsibility/
Mon, 15 Jul 2019 22:45:52 +0000

What kind of process do you have around analyzing your risk and liability as it pertains to cyber-security?

That’s one of the questions we ask when we are talking with prospective clients who are curious as to how we can help their organization. 9 times out of 10, the answer that we get to this question is – I am not exactly sure what we do, but the guy that takes care of our technology says we are good and there is nothing to worry about. However, when we push a little further and ask questions like –

How often do you audit and verify your security?

You can see some doubt starting to show in their eyes. Normally, again, that response is – I trust our guy to take care of those things for us since cyber-security is his thing. I am here to tell you – if you are just trusting your guy to take care of your cyber-security with no involvement from you and your staff, you are 100% dead wrong! I know that’s a strong statement, but it is unbelievably true. The truth is cyber-security is a SHARED responsibility, and no matter how good of an I.T. person you have, they cannot protect you without your involvement.

Now that we have ruffled your feathers a bit, let’s dive a little deeper. In days past, you could just rely on your I.T. guy to install your anti-virus, keep the definitions updated, and set up a firewall, and that was sufficient to be protected. Those days are long gone. With the threat vectors that are present today, it is almost guaranteed that your staff and employees are seeing very crafty and serious threats daily, if not hourly, in their normal day-to-day tasks. To protect yourself today, a multitude of security measures need to be put into place, and you need to be involved in quite a few of them.

So What Do You Need To Do To Protect Yourself and Your Organization?

First and foremost, let’s get this out in the open and accepted before we go any further – there is no amount of time or money that will COMPLETELY assure that your environment is totally secure and protected. That’s a tough pill to swallow for most folks. They want a clean, easy assurance that there is nothing to worry about. Sorry, but you need to worry and again – you need to be involved.

Having said that, let’s look at what you should have to BEST protect your organization from ransomware, data breaches, and other cyber-security risks.

· Antivirus software – Yes, even though antivirus software is not as effective as it used to be, you still need to have up-to-date antivirus software installed on all computers (even Macs). But to take a full-fledged approach to security you need to utilize a next generation antivirus that no longer relies on a static list of definitions or signatures to decide what can or can’t be done. A next generation antivirus bases its decision making on activity in addition to a static list. So it looks at what processes are run, how often, and by what applications; how quickly files are being changed; and how often there are unusual indicators. Really good next generation anti-virus solutions actually go one step further and talk to the firewall, so that if it detects any of the unusual activity it can cut that machine off from the rest of the network to limit further cyber-security risks and block any malicious outside servers that could be doing command and control operations. If you are curious as to how Ransomware is spread and how anti-virus software is tied in – This is a good resource.

· Firewall – The firewall in your network acts to create a barrier between the big bad wild Internet and your inside protected network. In the past this was again based on a static set of rules that get defined when the firewall is installed. The problem with this is that as new threats come out, in quite a few instances the rules are not updated to address them. So to better protect your network from bad guys coming from the Internet, you want a firewall that is adaptive and updated automatically to address new threats. The best firewalls will also provide the communication that we discussed above in the antivirus section and be able to communicate with the endpoints being protected by antivirus. These advanced firewalls are also aware of unusual activity and can monitor for any traffic coming in that has malicious attachments or malicious connections, and adapt to changes in the sources of threats automatically. Finally, these firewalls also get security updates from a central source on an automatic and scheduled basis.

·Backups – EVERY organization needs to have a comprehensive approach to backing up their data and monitoring that process. This means that you need to be involved in making sure ALL of your data is included in your backup sets, as well as making sure that you keep an appropriate number of versions of this data. Depending on the size and type of data you are backing up, as well as the connection you have to the Internet, the approach may include multiple components. There are two general types of backup: local backups and Cloud backups. A local backup is one that backs up the data to a locally connected device on your network. This could be something as simple as a USB drive or as complex as a Storage Area Network that can hold terabytes of information. A Cloud backup is one that backs up the data to an offsite, Cloud hosted storage target. This could be as simple as backing up to a Dropbox or Google Drive location or as complex as a fail-over Amazon or Azure datacenter. There are also two sub-types of backups: file level backups and image level backups. File level backups just create backup copies of individual files. These backups depend on an operational server and operating system to be able to restore from them. Image level backups include all files, including the operating system, and back them up as an “image of the entire server”. What this means is that you can restore your entire server at once to a point in time. Additionally, depending on what solution you are using for the image backup, you may also be able to boot the image of the server on the backup device, so that if you lose the physical server hardware due to failure or natural disaster, you can run the server at least temporarily on the backup appliance until new hardware is obtained. Regardless of what approach you choose – YOU have to be involved in the process. You can no longer just trust your I.T. person or partner to make these decisions in a vacuum. In addition, this information should be reviewed at least quarterly if not monthly to make sure that any new items or changes are being included. One of the most common mistakes when it comes to backups is setting up the backup software and never revisiting what is being backed up, only to find out when an emergency occurs that new software has been added but never included in the backup set.
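The review described above can be scripted. The following is an added example, not DaZZee's own code or any backup product's tooling: it compares a constructed inventory of data locations against constructed backup job definitions and reports anything not covered by a job, plus anything whose covering job keeps too few versions. Every path, job and retention number is made up for the example; a real review would feed in the organization's actual list.

```python
"""Added example, not DaZZee's own code or tooling: a backup-coverage audit
of the kind the quarterly review above calls for. It checks a constructed
inventory of data locations against constructed backup job definitions and
reports what is not backed up at all and what keeps too few versions."""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed inventory: where the organisation's data actually lives, as it
# would be gathered during a quarterly review (path -> description).
DATA_LOCATIONS: Dict[str, str] = {
    r"D:\Shares\Finance": "finance file share",
    r"D:\Shares\HR": "HR file share",
    r"D:\SQL\ERP": "ERP database files",
    r"C:\ProgramData\NewPayrollApp\data": "payroll application added last month",
    r"C:\Users\owner\Documents": "owner's local documents",
}

# Constructed backup jobs: root path covered by the job -> versions retained.
BACKUP_JOBS: Dict[str, int] = {
    r"D:\Shares": 30,
    r"D:\SQL": 3,
}


def covering_jobs(location: str, jobs: Dict[str, int]) -> List[Tuple[str, int]]:
    """Jobs whose root is the location itself or one of its parent folders."""
    target = PureWindowsPath(location)
    hits = []
    for root, versions in jobs.items():
        root_path = PureWindowsPath(root)
        # PureWindowsPath compares case-insensitively, as Windows does.
        if root_path == target or root_path in target.parents:
            hits.append((root, versions))
    return hits


def audit(locations: Dict[str, str], jobs: Dict[str, int],
          min_versions: int = 7) -> Dict[str, List[str]]:
    """Return findings: locations with no covering job, and locations whose
    best covering job keeps fewer than `min_versions` restore points."""
    findings: Dict[str, List[str]] = {"unprotected": [], "short_retention": []}
    for location, description in locations.items():
        hits = covering_jobs(location, jobs)
        if not hits:
            findings["unprotected"].append(f"{location} ({description})")
            continue
        best = max(versions for _, versions in hits)
        if best < min_versions:
            findings["short_retention"].append(
                f"{location} ({description}): {best} versions kept, want {min_versions}")
    return findings


if __name__ == "__main__":
    for category, items in audit(DATA_LOCATIONS, BACKUP_JOBS).items():
        print(category)
        for item in items:
            print("  -", item)
```

Run as-is it flags the newly added payroll application and the owner's local documents as unprotected, and the database job as keeping too few versions; the point of the exercise is that the inventory on the left is the part that goes stale, so it is the part the owner or manager has to keep current.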

·Good Password Policies – Yes… everyone hates passwords. However, until we get to a point where biometrics can secure everything in the technology world, we are going to have to deal with passwords. You as the manager or owner of your organization are the driver of this critical area of security. I.T. managers and partners can implement the policy, but you have to dictate and direct the policy to your staff, employees, and partners. All too often we see managers and owners of organizations as the main roadblock to implementing strong password policies and management. Instead, you need to help set the tone for your organization that password complexity and security are crucial to the livelihood of your organization. This means that you should be implementing complex passwords that require a mixture of upper and lower case letters, special characters, and numbers. In addition, you should require that passwords not be the same as what employees utilize for common cloud based applications and sites. Using password manager software can help you implement complex passwords and ensure that passwords are not being reused. If it helps to motivate you – 80% of cyber-security breaches today are due to reusing the same passwords across multiple sites and not utilizing hard to guess passwords. If you want to truly decrease your password vulnerability, you should also implement multi-factor authentication that requires you to enter a time based code in addition to your normal username and password. All of these items are ones that you as an owner or manager must take charge of and set the tone for your organization.
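The three technical controls in that paragraph (complexity, no reuse, a time based second factor) are small enough to show in full. The block below is an added example, not DaZZee's code or any vendor's implementation: a complexity checker, a per-user history of salted hashes that refuses a previously used password, and an RFC 6238 TOTP verifier of the kind authenticator apps implement. The rule set (12 characters minimum, ten remembered passwords, a one-step clock tolerance) and the sample secret are assumptions for the example.

```python
"""Added example, not DaZZee's own code: reference implementation of the
password-policy controls described above. It enforces a complexity rule,
rejects reuse against a salted-hash history, and verifies an RFC 6238
time-based one-time code. Rule values and sample secrets are constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def check_complexity(password: str, min_length: int = 12) -> List[str]:
    """Return the policy rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored history never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PasswordHistory:
    """Per-user list of salted hashes used to refuse a previously used password."""

    def __init__(self, keep: int = 10) -> None:
        self.keep = keep
        self._entries: List[Tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))
        self._entries = self._entries[-self.keep:]


def set_password(history: PasswordHistory, password: str) -> List[str]:
    """Apply the whole policy; an empty list means the change was accepted."""
    problems = check_complexity(password)
    if history.was_used(password):
        problems.append("reused a previous password")
    if not problems:
        history.record(password)
    return problems


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s step), as authenticator apps compute it."""
    counter = int(time.time() if at is None else at) // step
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(secret_b32, now + d * step, step), code)
               for d in range(-window, window + 1))
```

The history stores only PBKDF2 hashes with fresh salts, so a reuse check never requires keeping old passwords in the clear, and the TOTP comparison uses a constant-time compare so that the verifier does not leak how many digits matched.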

·End-user training – If you were to poll your staff, it would be a safe bet that they are getting multiple malicious emails trying to phish for information like credit card numbers or passwords, or containing links to get you to go to a malicious site that could spread ransomware or other malicious software. You as the leader of your organization also need to set the tone and establish the policy to implement ongoing monthly and/or weekly training for your staff on techniques to recognize fake and malicious emails and websites. End-user security awareness training can produce an average reduction of up to 95% in people clicking on bad software or sites. We have an entire post dedicated to End-User Security Awareness Training.

·Security auditing and testing – at least quarterly if not monthly, you should have your I.T. person or a cyber-security contractor audit your environment and test to see what vulnerabilities can be found before the bad guys do. Many organizations ignore this because they feel that if cyber-security vulnerabilities are found, as they inevitably will be, it will mean large expenditures for the organization. The fact is, it will be much more expensive if the bad guys find them before you do.

·Monitoring – you should have some process in place to continually monitor the cyber-security of your environment. This monitoring and alerting should be tuned to provide relevant and applicable information that can be acted upon. In many cases the thresholds for these solutions are set too low, too many alerts are issued, and the end result is that they get ignored. The opposite is true if the threshold is too high: if the alerting doesn't happen until it is too late, it provides no value either.
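To make the threshold point concrete, here is an added example (not DaZZee's code or any monitoring product's logic) that runs a failed-login alert rule over a handful of constructed log lines. At a threshold of one failure every mistyped password becomes an alert; at a tuned threshold inside a sliding window only the one source that keeps hammering the login produces a single alert; set too high, the same rule sees nothing. The log format, IP addresses and user names are all made up for the example.

```python
"""Added example, not DaZZee's own code or product: threshold tuning for a
failed-login alert, run over a few constructed log lines. A threshold of one
floods the queue with one-off typos; a tuned threshold raises a single alert
for the one source that is actually hammering the login; a threshold set too
high misses it entirely. Log format, addresses and users are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log (not real data): 203.0.113.7 makes repeated attempts;
# the two 198.51.100.x entries are single mistyped passwords.
SAMPLE_LOG = """\
2020-04-14T10:00:01 auth: Failed login for user admin from 203.0.113.7
2020-04-14T10:00:04 auth: Failed login for user admin from 203.0.113.7
2020-04-14T10:00:09 auth: Failed login for user root from 203.0.113.7
2020-04-14T10:00:12 auth: Failed login for user jsmith from 198.51.100.20
2020-04-14T10:00:15 auth: Failed login for user admin from 203.0.113.7
2020-04-14T10:00:21 auth: Failed login for user admin from 203.0.113.7
2020-04-14T10:00:40 auth: Failed login for user mjones from 198.51.100.31
2020-04-14T10:00:44 auth: Failed login for user admin from 203.0.113.7
2020-04-14T10:02:30 auth: Failed login for user admin from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) auth: Failed login for user (\S+) from (\S+)$")


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, user, source) for each failed-login line; others are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect(events, threshold: int, window_seconds: int) -> List[str]:
    """One alert per source the first time it reaches `threshold` failures
    inside a sliding window; further hits in that window are suppressed so
    the operator sees one actionable line instead of a flood."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    muted_until: Dict[str, datetime] = {}
    alerts: List[str] = []
    for ts, _user, src in events:
        window = recent[src]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) < threshold:
            continue
        if src in muted_until and ts <= muted_until[src]:
            continue
        muted_until[src] = ts + timedelta(seconds=window_seconds)
        alerts.append(f"{ts.isoformat()} {src}: {len(window)} failed logins in {window_seconds}s")
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for threshold in (1, 5, 20):
        print(f"threshold={threshold}: {len(detect(events, threshold, 60))} alert(s)")
```

The same nine lines yield four alerts at a threshold of one (three of them for people who mistyped a password once), one alert at five-in-sixty-seconds, and none at twenty. Tuning is choosing the middle setting and then reviewing it as the environment changes.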

·Security mindset and culture – this one is big because it drives all the rest of the items. If management and ownership establish a culture of making sure security is a top priority across all areas of operations, it makes the approach to cyber-security much easier. This starts with having process and policy in place that is specific in regard to security. This extends to physical security as well. By making sure that access to all data and network operations is secured and tracked, you lay the foundation to build logical security upon.

While cyber-security is a pain and a dry topic to cover, it is imperative in today’s vulnerable data environments to implement it fully and properly. In most cases it will mean adding new process, policy and procedure, and in many cases new toolsets and software, to your operations. It is going to cost you more than what you are paying today in any scenario. However, by proactively taking part in your cyber-security, you get to control those costs. Conversely, if you leave it to chance or assume that you do not have anything to worry about because your I.T. person says so, and you get a ransomware infection with no plan for recovery, you could be out thousands if not hundreds of thousands of dollars to get back to operational status. If you feel that you are completely secured, or if you are relying solely on your I.T. person or company to protect you without any involvement on your part, we challenge you to put that to the test. Have DaZZee or any other reputable managed security services provider audit your environment and process. It is almost guaranteed that there will be vulnerabilities that you are not currently aware of if you have not been involved hands-on with security for your organization!

Managed I.T. Services Pricing
https://dazzee.com/managed-i-t-services-pricing/ – Thu, 18 Apr 2019 00:16:07 +0000

When it comes to I.T. Services and Managed I.T. Services pricing, the reality is that pricing can be all over the board depending on who you talk to. More and more companies are starting to offer some sort of “managed technical services” or “managed I.T.”. Some of these organizations are those that have grown up in the I.T. industry doing project based work, engineering, and integrations. Others are branching out into I.T. from their main line of business. We have seen copier companies, accounting firms, cable contractors, PC manufacturers, and even big box stores now offering managed services. Unfortunately, trying to make sense of all the differences can be overwhelming and oftentimes leads to decisions being made, only to find out after the fact that the agreement doesn’t include everything that was intended or has unexpected costs after the contracts are signed. So how do you know, and how do you evaluate the plethora of companies crowding into the marketplace today?

Windows 7 Support Is Ending and Why You Need to Plan Now
https://dazzee.com/windows-7-support-is-ending-and-why-you-need-to-plan-now/ – Wed, 27 Mar 2019 05:36:15 +0000

Good ole trusty Windows 7, for most of us, was a welcome improvement from Microsoft over the unstable and problematic operating systems prior to its release. Sure, it took a little adjustment to get used to the changes, but once we all knew where to find things, Windows 7 was a great improvement for Microsoft. But as with all good things, it must inevitably come to an end to make room for bigger and better things. So in January of 2020, Microsoft will officially stop supporting Windows 7 after almost a decade. The End of Support also includes Windows Server 2008, but for most business users it takes a seat waaay in the back compared to Windows 7.

Here’s Why Your Part-time I.T. Person Is Not Going To Cut It
https://dazzee.com/heres-why-your-part-time-i-t-person-is-not-going-to-cut-it/ – Mon, 18 Mar 2019 18:50:37 +0000

We meet with organizations every week that tell us they have a “part-time” person that takes care of their I.T. and technology needs and that they feel like they do a decent job. What they normally mean by this, after asking a few more questions, is they have a person that is tasked with maintaining their technology because they have a technical inclination, but they also have other job responsibilities as well. Furthermore, what they mean by “they do a decent job” is that they keep things up and running for the most part and deal with all the questions and problems that relate to I.T. As we start to ask some more detailed questions about their operations, it becomes clear there is a big misconception about what it means to fully cover I.T. needs and an even bigger misconception about what it means to do a decent job with this.

I’m here to tell you once and for all: if you have more than a couple of employees that use technology and you only have someone looking after I.T. needs part time… not only are they not able to do a decent job, but your organization is at SERIOUS risk.

Now that I have you on the defensive, let’s back up and understand what is really required for I.T. and technology management for any organization with more than just a few users.

What most organizations do when it comes to I.T. management

End-user support – OK, this is probably what everyone thinks of when asked about how they manage I.T. today. Obviously you have to provide some sort of support for technology problems and issues. Most of the time this is the one area that organizations will say they are OK at. What that boils down to is that if they have a person taking care of technical support, that person is most likely at least agreeable enough to keep in the position and can communicate effectively. This is, at the basic level, what most organizations have come to associate I.T. with, and unfortunately it is where a lot of organizations stop when it comes to I.T. responsibilities. The majority of the time there is also no accountability or tracking of how many issues are occurring across the entire organization. So the end result is that when asked how often there are issues, the person responding typically can only speak to the issues they personally have. The challenge here is that if the person responding only has 1-2 I.T. issues a week but there are 20 employees, that could actually equate to 40 issues a week across the entire organization.

Maintenance of I.T. related equipment and infrastructure – It’s a toss-up how much focus organizations put towards maintenance of technology equipment and infrastructure. At best, most organizations just make sure the operating systems are patched on a semi-regular basis and kept up to date.

Security – Arguably one of the biggest issues every organization now faces when it comes to I.T. and technology as a whole. What we find is that when there is a part-time or even full-time I.T. person that is tasked with trying to stay on top of security, the majority of organizations only really do a few things consistently;

Antivirus – 10 years ago, getting everyone to buy in to the necessity of antivirus software was the biggest challenge for most organizations. Unfortunately, a large majority only rely on antivirus as their approach to security, and even with that there is no consistency in strategy, software, updates, policies, and enforcement.

Firewall – It is rare (but it still happens) to find an organization today that does not utilize a firewall to protect their internal network from the internet. However, what we find quite often is that an inappropriate firewall is in place, meaning one that is meant for home use or does not provide the advanced firewall features needed to protect against today’s security vulnerabilities. Additionally, most organizations do not apply any type of updates to their firewall on any type of scheduled or regular basis, which means a large number of vulnerabilities could be getting through.

Here is what organizations need to be doing with I.T. and why a part-time person simply can’t keep up with it.

End-user support – Instead of simply being a firefighter, so to speak, when it comes to end-user support, the I.T. contact needs to be focusing on how to reduce the support issues in the first place. They need to be analyzing what issues are occurring and how to ensure they don’t occur again… not just band-aid it for now. Additionally, they need to be tracking the number of issues and how much time it is taking away from the employee base. There is no way to gauge the effectiveness of I.T. without this.

Maintenance of I.T. related equipment and infrastructure – maintenance of the technology infrastructure goes way beyond updating the operating system and applying patches. That stuff can and should be automated. Maintenance should include a scheduled audit of the equipment, software, and infrastructure. Once that is completed, there should be a schedule of tasks that need to be completed on a weekly, monthly, and quarterly basis. These tasks include reviews of configurations, utilization, any errors in the logs, etc. Additionally, battery backup units need to be analyzed for loading and tested to ensure proper run-time and failover.

Security –

Antivirus – While antivirus software and a firewall are a start to security, there are many additional items that need to be included and applied. First of all antivirus software needs to be more than just the old-fashioned variety that relies on a static list of definitions. Newer antivirus software can analyze behavior and in some instances can leverage artificial intelligence to predict what may be happening and take action. But the antivirus software has to be actively managed and be consistent which requires a scheduled and intentional approach.

Firewall – Again, this is another area where the old approach of buying a firewall, configuring it during install and not touching it again until it is time to replace it will be ineffective in today’s riskier environment. A modern firewall will be one that actively adapts to threats on a daily basis. This means it needs to be a more advanced (and most times a little more costly) solution. It needs to be actively managed as well, meaning: is it being updated on a weekly basis, is it being monitored for alerts, does it have automation set up to handle threats as they occur, and does it also talk to the endpoint protection (antivirus software) so that it knows when there is an issue occurring on the inside of the network.

End-user training – The biggest security threat to any organization is their internal users. In fact over 95% of ransomware is spread by users internal to the organization. Without ongoing and consistent training, end-users cannot recognize obvious indicators of threats and inevitably will click on, visit, or act on the mechanism designed to do the damage.

Security Policies and Procedure – Second to end-user training, the next biggest threat is poor security policy and procedure. Most users use the same password across multiple sites and platforms. If there is not a formalized way to regularly rotate passwords, enforce complexity, and ideally utilize more advanced security approaches like multi-factor authentication, organizations are at a huge risk of being compromised through valid and legitimate user credentials. All Cloud based services and applications (especially Office 365) should also be included in this to ensure proper security is enabled.

Auditing – At least on a monthly basis there should be an audit of the environment. This involves scanning the internal network for vulnerabilities, scanning the firewall externally for vulnerabilities and open ports, and reviewing security logs for any anomalies and/or security events. If your organization takes credit card payments, or is subject to HIPAA regulations you should be conducting specific audits for those areas as well.

Monitoring – Once all security measures are in place and are regularly reviewed and updated, the next step is that there needs to be an active practice of monitoring all elements. What this means is there needs to be a process to monitor all security devices, services, and components for potential security events on an active basis. This needs to be consistent and monitored 24/7/365.

Documentation – While this seems obvious and even mundane, it is extremely rare that we get brought into a client environment where there is anywhere close to complete documentation. Most organizational owners/managers assume this is being done. However, in the event that documentation is needed, if there is a single person that has the keys to the kingdom, so to speak, it puts the organization at severe risk if that person leaves under less than ideal circumstances. All too often we see organizations that think they have everything documented completely, only to find out when something is down that critical information is not readily available.

Strategy and budgeting – 20 years ago when I got started in this industry, it was an accepted practice that the I.T. department was a questionable necessity, and there certainly wasn’t a focus on the I.T. budget other than to plan a base amount each year for replacement when items failed. Today organizations need to think of I.T. as a functional area of the business just like they do for H.R. or Accounting. In order to be competitive, reduce risk and liability, and increase efficiencies, I.T. needs to be involved with the business planning, and an associated budget developed to help the organization meet the operational objectives. Organizations that do this effectively will have at a minimum a 2 year forward looking budget as it relates to I.T., so there are no surprises and so that I.T. can help a business meet objectives instead of hampering it.

Data Analytics – This is an area that will soon become a necessity to compete in the business climate. While once relegated to large corporate entities, the ability to tap into data inside of operations to develop Key Performance Indicators (KPIs) and report on and display those in real time is going to become more and more of a necessity. After all, wouldn’t it be better to be able to make decisions on actual data and do that in near real time?

In Conclusion

Most small businesses and small organizations think they are too small to need a structured focus on technology and I.T. In fact, many of the organizations we meet with tell us that they are “too small to really have any need for I.T.” and thus in many cases tell us that they have someone that takes care of the I.T. needs as just part of their other job responsibilities. As you can see from the list above, the needs to cover from an I.T. perspective have grown exponentially over the past few years, and it is only going to get worse as security threats become more common and more impactful to operations. Even larger organizations that have multiple dedicated I.T. staff are having trouble keeping up with all the demands to secure I.T. and increase efficiency. So it is highly unlikely that a part-time person can effectively handle I.T. needs even in the best of circumstances.

Organizations that do not take this seriously are at the biggest risk of data loss, security breach, and negative impact to operations. In fact, it is not out of the question to say that unless there is a dedicated approach to addressing these concerns, it is not a matter of IF an issue is going to occur, but a matter of WHEN and HOW BAD WILL IT BE?

Why You Need To Implement End-User Security Awareness Training
https://dazzee.com/why-you-need-to-implement-end-user-security-awareness-training/ – Wed, 13 Feb 2019 21:59:52 +0000

It wasn’t that long ago that end-user training was only relegated to new line of business applications or major software additions for most organizations. In today’s business environment, you really need to think of end-user training as a constant, ongoing process, especially when it comes to security awareness. The #1 security risk to any organization today is their own internal employees, and if you don’t take control of it, it will most definitely come back to bite you.

First and foremost, let’s take a look at what end-user security awareness training really is… I mean, do you really need training for your end-users to know that security is important? When we ask most prospective clients if they have any process around end-user security awareness training, most of the time we get a sheepish response of… “Well, we let everyone know that they should have a strong password and they shouldn’t share that with anyone”. In some of the more prudent environments we may even hear… “Yeah, we have a formal security policy that they have to read and agree to”. Unfortunately, neither of these answers is sufficient to protect your organization against the threats being lodged against your operations right now and every day going forward!

End-user security awareness training is a mindset and ultimately a culture change that has to occur across the entire environment and across all employees to truly be effective. It simply can’t be something that your team sits through once a year to really get any benefit from.

Keys to Effective End-User Security Awareness Training

Relevant Training – Probably most importantly of all, the end-user security awareness training needs to be relevant. The threat landscape changes daily, so if the content of the training is not updated at least monthly, the value of what is going to be presented is very limited.

Engaging Training – All too many times organizations make their end-users either read a policy in their handbook that hasn’t been updated in 5 years, or they have them watch a video training that the end-users simply start playing in the background and continue working or go to lunch. In order for the training to be effective, it needs to be engaging and interactive. Security is a dry subject so it is not always as easy as it sounds to accomplish this. Part of the training should require the end-users to answer questions to test their knowledge and understanding of each section throughout the entire training. This ensures that the information being presented is being absorbed and understood. Additionally the training should include real-world examples. All too often security training just focuses on the technical aspects that are not relatable to the average user.

Concise Training – Another mistake to avoid is having the training be too lengthy. Again, because security can be a dry topic – avoid any loss of focus by utilizing short training sessions of 20-30 minutes max. Anything longer will lose the audience’s attention and undermine the success.

Scheduled Training – As mentioned previously, training should be conducted monthly to get the most benefit. To expand upon that a bit, it should also be something that is automatically scheduled. All organizations are built to produce a product or service and security training is probably not one of those deliverables for 99 percent of organizations. So what inevitably happens is that most organizations start with good intentions but work gets in the way and subsequent training gets put off or never implemented.

Real World Testing – Training without testing is only half the battle. To truly be effective with end-user security awareness training, you need to also test in a real world scenario to see how your end-users fare against malicious attempts. The most common testing method is to send test emails that look like legitimate emails from common vendors, partners, and organizations. If you are a manufacturing or construction focused organization, that might be an email that looks to be from OSHA asking the recipient to click on a link to get the latest regulatory updates. Or if you are in the retail market, it may be an email that appears to be your last PCI compliance report and has a file attached to it. The key here is that it needs to look like a normal email that your team might actually receive. Once you have a relevant email to utilize, then you want to be able to report on how many of your end-users actually clicked on, or did, what the email asked them to do. Now, while these links or files are not actually malicious since they are sent from you, it does give you an indication of how susceptible your staff members really are. From those results you can assign additional training to those users who clicked on, downloaded, or visited the sites to help them understand how to recognize these in the future and avoid a real threat.

Tracking Results – Once you have the ability to test and see which employees do well and which ones do not, the next step is to make sure you have the ability to track over time how each of these groups improve or decline in their ability to thwart the risks. If you have employees that do not improve over time, the training may not be suitable, or you may need a better environment for them to train in, or schedule it during another time in which they can focus more. Without the ability to track, you may or may not be getting the results you need out of the security initiative.
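The reporting and tracking steps in the last two points are mostly bookkeeping over campaign results, which the following added example shows in full. It is not DaZZee's code or any training platform's logic: the campaign rows, user names and the "failed every one of the last two campaigns" rule for assigning additional training are all constructed assumptions for the example, and the actions counted as a failure are a list you would adjust to match what your own test messages ask for.

```python
"""Added example, not DaZZee's own code or platform: scoring the results of
simulated phishing campaigns and tracking each user over time. Campaign
rows, user names and the remedial-training rule are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# One row per user per campaign: (campaign, user, what the user did).
RESULTS: List[Tuple[str, str, str]] = [
    ("2020-01", "alice", "reported"), ("2020-01", "bob", "clicked"),
    ("2020-01", "carol", "clicked"),  ("2020-01", "dave", "ignored"),
    ("2020-02", "alice", "reported"), ("2020-02", "bob", "clicked"),
    ("2020-02", "carol", "ignored"),  ("2020-02", "dave", "clicked"),
    ("2020-03", "alice", "ignored"),  ("2020-03", "bob", "clicked"),
    ("2020-03", "carol", "reported"), ("2020-03", "dave", "ignored"),
]

# Actions that count as falling for the test message (constructed list).
FAILED = {"clicked", "opened_attachment", "submitted_credentials"}


def click_rate_by_campaign(results) -> Dict[str, float]:
    """Share of recipients who failed each campaign: the headline trend."""
    sent = defaultdict(int)
    failed = defaultdict(int)
    for campaign, _user, action in results:
        sent[campaign] += 1
        if action in FAILED:
            failed[campaign] += 1
    return {c: round(failed[c] / sent[c], 2) for c in sorted(sent)}


def user_history(results) -> Dict[str, List[bool]]:
    """Per user, chronological list of outcomes (True = failed that campaign)."""
    history: Dict[str, List[bool]] = defaultdict(list)
    for _campaign, user, action in sorted(results):
        history[user].append(action in FAILED)
    return dict(history)


def users_needing_training(results, last_n: int = 2) -> List[str]:
    """Users who failed every one of their last `last_n` campaigns, i.e. the
    group that is not improving and should be assigned additional training."""
    return sorted(user for user, hist in user_history(results).items()
                  if len(hist) >= last_n and all(hist[-last_n:]))


if __name__ == "__main__":
    print("click rate by campaign:", click_rate_by_campaign(RESULTS))
    print("needs additional training:", users_needing_training(RESULTS))
```

On the constructed data the organization-wide rate drops from 50% to 25% over three campaigns, which looks like progress, while the per-user view shows one person who has failed every test; the two views together are what the tracking step is for.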

Policy Enforcement – In tandem with end-user security awareness training, you also must have training around what your organizational policies are and how they are to be followed. In a recent survey only 27% of organizations actually had a written information security policy in place. It is imperative that you train your staff and employees on what is expected of them specific to your organization’s policies. This also ensures that in the event of any legal action you have proper documentation of the policy outlined and agreed upon. Once the policy is developed and in place, you need to actively track who has read and accepted the terms of it. This is one more opportunity to utilize a security platform to track and maintain these records. Many end-user security awareness training platforms have the ability to keep these policies online and track which employees have and have not accepted them.

If you need assistance to get started with this – reach out to your trusted I.T. partner or let DaZZee know if you would like our help! This is a minimal investment to generate a sizable return in reduction of overall security risk and liability.

If you are a business with at least 15 users in the Southwest Missouri or Northwest Arkansas Market – You can get FREE access to DaZZee’s online End-User Security Awareness Training.


Top 15 Disaster Recovery Steps To Avoid Disastrous Data Loss
https://dazzee.com/top-15-disaster-recovery-steps-to-avoid-disastrous-data-loss/ – Tue, 20 Nov 2018 03:00:40 +0000

When it comes to disaster recovery and business continuity planning, the most common area of concern is either ransomware or fire/natural disaster type events. That’s understandable, because that’s where most of the marketing and hype is targeted when it comes to disaster recovery. One of the main reasons for this is that ransomware is getting trickier and more clever in the means by which it is distributed, and therefore more concerning. However, it might surprise you that ransomware and natural disaster type events combined only account for roughly 10% of the data loss incidents as a whole.

So what’s the other 90%? Well, hardware failure and user errors account for 76% of all data loss according to Unitrends. Think about that for a moment. How often do you see an advertisement for avoiding hardware failure or training your end-users? Compare that with how often you hear or see something about the dangers of ransomware.

The truth of the matter is that the two leading causes of data loss just aren’t that exciting or motivating. Ransomware is much scarier, and most feel less in control when it comes to avoiding issues with it. Don’t get me wrong, ransomware is a serious threat and you absolutely should have a plan to protect your organization against it. You just also need to worry about protecting yourself from data loss from hardware failure and user errors just as much, if not more so.

So How Do I Protect My Data?

Let’s look at each segment of the data loss pie chart independently. The single largest risk to your organization is

Hardware Failure

The following is a checklist of items you can do immediately to protect against data loss from a hardware failure;

Complete hardware inventory and assessment of age. – While this seems like common sense, most organizations don’t even have a list of all their hardware and when it was purchased. When asked, most of the organizations we speak with say they believe their computers and servers are fairly new. However the average age of the systems when we inspect them are a little over 4 years old. That’s important because best practices dictate that personal computers and laptops be replaced every 5 years at most. Servers and network equipment should be replaced every 3-5 years.

Monitor systems for indicators of trouble. In just about every hardware failure there are indicators that lead up to the eventual failure if you know what to look for and are actively monitoring for those. There are multiple software options that make this an automatic and easy process to monitor for even if you don’t contract with a managed services provider. We have previously published a guide to those – Click Here For That Post.

Have an emergency plan. Ultimately we want to avoid a hardware failure, but you need to have a plan if it happens unexpectedly. Even brand new hardware can have failures, so having a plan to work through it is critical. Having advanced hardware replacement services is a great option at a reasonable expense. Most vendors will offer some form of this. They all call it something different, but the service is typically very similar. For a yearly charge, they promise to have replacement hardware onsite, and in some cases installed by their techs, within a matter of hours. That can be as little as 2 hours or up to next business day.

Back it up, back it up, back it up! – It seems obvious, and when asked most business owners and managers will say they have backups. However, upon closer inspection it is rare that all the critical data owners and managers think is being backed up actually is. People always have their own files that they store locally and assume are protected. There are always changes to databases, file storage, or newly added applications that leave data unprotected. The key to avoiding this is to make sure it is reviewed regularly! By regularly, I mean MONTHLY. You should be auditing what is being backed up, from where, and what the retention policy is for each of those items.
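To make the inventory and monitoring items above concrete, here is a small Python script that runs the replacement-age policy from this post over an asset list and flags disks whose SMART-style counters show pre-failure indicators. It is an added example, not DaZZee’s tooling: the sample inventory, the counter values, the “review” ages that give early warning before the hard limit, and the counter thresholds are all assumptions constructed for the example. In practice the inventory and counters come from your RMM or monitoring agent.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Replacement policy from the post: PCs and laptops at 5 years at most,
# servers and network equipment every 3-5 years. The "review" age is an
# assumption added here so the report warns before the hard limit is reached.
POLICY = {
    # kind: (review_after_years, replace_after_years)
    "workstation": (4, 5),
    "laptop": (4, 5),
    "server": (3, 5),
    "network": (3, 5),
}

# Assumed warning thresholds for the SMART-style disk counters below.
# Any reallocated or pending sector on a production disk is worth a ticket.
MAX_REALLOCATED_SECTORS = 0
MAX_PENDING_SECTORS = 0
MAX_TEMPERATURE_C = 50


@dataclass
class Asset:
    name: str
    kind: str
    purchased: date
    # Counters as reported by the monitoring agent; None when not collected.
    reallocated_sectors: Optional[int] = None
    pending_sectors: Optional[int] = None
    temperature_c: Optional[int] = None


def age_years(asset: Asset, today: date) -> float:
    return (today - asset.purchased).days / 365.25


def lifecycle_status(asset: Asset, today: date) -> str:
    """'ok', 'review' or 'replace' according to POLICY for the asset kind."""
    review_at, replace_at = POLICY[asset.kind]
    age = age_years(asset, today)
    if age >= replace_at:
        return "replace"
    if age >= review_at:
        return "review"
    return "ok"


def health_indicators(asset: Asset) -> List[str]:
    """Pre-failure indicators present in the collected counters."""
    problems = []
    if asset.reallocated_sectors is not None and asset.reallocated_sectors > MAX_REALLOCATED_SECTORS:
        problems.append(f"reallocated sectors={asset.reallocated_sectors}")
    if asset.pending_sectors is not None and asset.pending_sectors > MAX_PENDING_SECTORS:
        problems.append(f"pending sectors={asset.pending_sectors}")
    if asset.temperature_c is not None and asset.temperature_c > MAX_TEMPERATURE_C:
        problems.append(f"temperature={asset.temperature_c}C")
    return problems


def assess(inventory: List[Asset], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map each asset name to (lifecycle status, list of health indicators)."""
    return {a.name: (lifecycle_status(a, today), health_indicators(a)) for a in inventory}


def needs_action(report: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Names of assets that are past review age or show a failure indicator."""
    return sorted(name for name, (status, problems) in report.items()
                  if status != "ok" or problems)


# Constructed sample inventory; real data comes from your RMM or asset tool.
AS_OF = date(2020, 4, 16)
SAMPLE_INVENTORY = [
    Asset("WS-01", "workstation", date(2014, 3, 1)),
    Asset("WS-02", "workstation", date(2019, 9, 15)),
    Asset("FS-01", "server", date(2016, 6, 1),
          reallocated_sectors=12, pending_sectors=0, temperature_c=41),
    Asset("SW-01", "network", date(2018, 1, 10), temperature_c=55),
]

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, AS_OF)
    for name in needs_action(report):
        status, problems = report[name]
        print(f"{name}: {status}" + (f" ({', '.join(problems)})" if problems else ""))
```

Run against the sample inventory it reports WS-01 as past replacement age, FS-01 as due for review with reallocated sectors already showing, and SW-01 as in age but running hot. The point of separating lifecycle from health is that the two lists drive different conversations: one is a budget line for next year, the other is a ticket for this week.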

User Error

Outside of hardware failure, user error is the second leading cause of data loss. Bet you didn’t factor that in when thinking about the biggest threats to your data integrity, did you? Here are some common scenarios that involve user error, and steps you can take to avoid them:

Accidental deletion of files – Over 85% of our data recovery requests come from users who have accidentally deleted or overwritten a file. It’s easy to do if you are in a hurry and not paying attention to which files or folders you are modifying. The best way to avoid issues from this goes back to what I mentioned earlier: backups! Making sure that you are saving files and documents in a folder that has some type of backup and retention is critical. Not only does the folder need to be backed up, you also need more than one revision to go back to. In many instances, files are deleted or overwritten before the user even realizes it, and it can be days before anyone notices, so a single nightly copy that has already been overwritten with the bad version is no help. Multiple revisions will save your bacon!

Inappropriate Versions of Applications – I get it, it’s easy to use personal versions of software because we want to try them out initially without committing to a purchase. The problem is when you end up 3 months or more down the road still using a personal version of Box or OneDrive with a lot of data stored in it. You compound the issue further if multiple users in the organization share the same personal account. One user can inadvertently or purposely delete or overwrite all of the data, and with the personal versions of the software you are almost certainly going to be limited in what backup or revision history is available (as well as support from the vendor). Rule of thumb: don’t use personal versions of software with multiple users!

End User Security Awareness Training – This one applies to multiple categories. However, very few businesses actually invest in training their end users on the best practices within their environments. This includes which applications should be used, how those applications are used, where data should be stored, how it should be stored, and what they should and should not be using when it comes to Cloud and other apps. Best practices dictate that you conduct a formal training with your staff on these topics at least annually. Ideally you are conducting this type of training monthly to help your staff identify the latest threats and how to recognize them.

Software Failures

Fortunately, software failures are not common in today’s environments. However, to make sure you are as protected as possible, follow these guidelines when it comes to software and protecting your data.

Once again – Back It Up – Notice a common theme going on here? I can’t stress enough that in order to avoid just about all of these issues, a solid, reliable, and predictable backup is essential.

Be Cautious When Upgrading – We all want to have the latest and greatest, especially when it gives your software more security or bug fixes. However, you need to be cautious and fully understand what changes will occur when you upgrade versions. I see all too often organizations that upgrade versions of software only to find during the upgrade process that the database upgrade has problems or changes the way the application interacts with the data. Have a detailed conversation with your software vendors about how the upgrade affects the actual data the application uses. Then get a scope of work in writing from the vendor that details what will be changed, what to expect, and what their guarantee is on the upgrade process. This may seem like overkill, but it ensures that if there are problems after the upgrade you can push back on the software vendor to fix them. Finally, go back to step one on this list. NEVER, and I mean NEVER, perform a software upgrade on your line of business applications without first making sure you have a good backup to revert to if there are issues. Sometimes upgrades completely change the structure of the application and the libraries it uses. If that is the case, you also want a full system (image) level backup that you can revert to, and you want to confirm that backup restores cleanly before you start the upgrade rather than finding out afterward.

Use The Correct Versions of Software – Again, this may seem like common sense, but I have seen multiple organizations try to cut costs and use the “free” or home-user versions of software. Not only does this most likely violate the vendor’s license, it also puts you at risk of data loss. If your application fails or suffers data loss or damage, you will be very limited in the support you can get from the software vendor when you are on the free or home-user version. Additionally, make sure you get a multi-user licensed version of the software if you are allowing multiple users to access it. I have seen organizations lose years’ worth of data by sharing one login across their entire user base instead of purchasing the multi-user version. Separate accounts not only keep you within the license agreement, they let you assign permissions so that one user cannot delete all of the data (purposely or inadvertently), and they give you a record of who changed what when something does go wrong.

Viruses and Malware

This is the area most businesses tend to think of when it comes to protecting their data. While it accounts for only 7% of overall data loss, it is one that strikes fear in most business owners as well as I.T. managers. The challenges around mitigating this risk are constantly changing, and it is not one that is going to go away any time soon. However, making sure you have a strategy to deal with it when it happens (notice I did not say IF) is crucial to getting your operations back to normal as quickly as possible.

Backups – I think you may have heard this one before… but you need to have solid and reliable backups! If you want any chance of recovering from a virus, malware, or particularly a ransomware attack, you must have backups you can revert to. Keep in mind that ransomware encrypts whatever it can write to, and that includes backup copies sitting on a network share or on a USB drive that is always connected, so at least one copy needs to be offline, immutable, or otherwise unreachable with the credentials used day to day. The biggest key to backups (not just in this scenario but all of them) is that you have to test your backups regularly (read this as at least monthly) to make sure you can actually restore your data. In addition you need to be monitoring daily what is backed up and what errors or issues crop up, because even with the best backup solutions out there, there are occasional failures.
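Here is what the monthly backup audit from the hardware section and the daily monitoring described above look like as a script. It is an added example rather than anything from DaZZee or a particular backup product: the required-sources list, the job configuration, the restore-test dates, and the key=value job log are all constructed for the example, and the regular expression would be pointed at whatever export your own backup software produces. It answers the three questions the post keeps asking: is everything that matters covered with enough retention, did last night’s jobs actually succeed, and when did someone last prove a restore works.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Tuple

# What the business says must be protected and the retention (days) each needs.
# Constructed sample; in practice this comes from the data review, not the backup tool.
REQUIRED_SOURCES: Dict[str, int] = {
    r"\\FS-01\Shares": 90,
    r"\\FS-01\Users": 90,
    "SQL:ERPDB": 365,
    r"\\WS-07\C$\Users\jdoe\Documents": 30,  # files a user keeps locally
}
# Jobs as configured in the backup product, and the last test restore per job (constructed).
BACKUP_JOBS: Dict[str, dict] = {
    "shares-daily": {"source": r"\\FS-01\Shares", "retention_days": 90},
    "users-daily": {"source": r"\\FS-01\Users", "retention_days": 30},
    "erp-db": {"source": "SQL:ERPDB", "retention_days": 365},
}
RESTORE_TESTS: Dict[str, date] = {
    "shares-daily": date(2020, 4, 1),
    "users-daily": date(2020, 2, 1),
    "erp-db": date(2020, 3, 20),
}
# Constructed job log in an assumed key=value layout; point LOG_RE at your product's export.
JOB_LOG = """\
2020-04-14 03:00:00 job=erp-db status=SUCCESS bytes=210000000
2020-04-15 02:00:09 job=shares-daily status=SUCCESS bytes=51300100
2020-04-15 02:10:05 job=users-daily status=SUCCESS bytes=8200000
2020-04-15 03:00:00 job=erp-db status=FAILED error="VSS writer timeout"
2020-04-16 02:00:12 job=shares-daily status=SUCCESS bytes=51400000
2020-04-16 02:10:01 job=users-daily status=SUCCESS bytes=8210000
2020-04-16 03:00:00 job=erp-db status=FAILED error="VSS writer timeout"
"""
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) job=(?P<job>\S+) status=(?P<status>\S+)")

MAX_STALE_DAYS = 1          # daily jobs: no success since yesterday is a problem
MAX_RESTORE_TEST_DAYS = 31  # the post asks for a test restore at least monthly
AS_OF = date(2020, 4, 16)
Finding = Tuple[str, str, str]  # (category, subject, detail)


def parse_log(text: str) -> List[dict]:
    """Parse job log lines into events sorted by time; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "job": m["job"], "status": m["status"]})
    return sorted(events, key=lambda e: e["when"])


def audit(required: Dict[str, int], jobs: Dict[str, dict], events: List[dict],
          restore_tests: Dict[str, date], today: date) -> List[Finding]:
    findings: List[Finding] = []
    # 1. Coverage and retention: every required source needs a job keeping enough history.
    job_for_source = {cfg["source"]: name for name, cfg in jobs.items()}
    for source, needed in required.items():
        job = job_for_source.get(source)
        if job is None:
            findings.append(("unprotected", source, "no backup job covers this source"))
        elif jobs[job]["retention_days"] < needed:
            findings.append(("retention", job,
                             f"keeps {jobs[job]['retention_days']} days, policy requires {needed}"))
    # 2. Job health from the log: the most recent run failed, or there is no recent success.
    last_event: Dict[str, dict] = {}
    last_success: Dict[str, date] = {}
    for e in events:
        last_event[e["job"]] = e
        if e["status"] == "SUCCESS":
            last_success[e["job"]] = e["when"].date()
    for job in jobs:
        ev = last_event.get(job)
        if ev is not None and ev["status"] != "SUCCESS":
            findings.append(("failed", job, f"last run {ev['when'].date()} ended {ev['status']}"))
        ok = last_success.get(job)
        if ok is None:
            findings.append(("stale", job, "no successful run in the log"))
        elif (today - ok).days > MAX_STALE_DAYS:
            findings.append(("stale", job, f"last success {ok}, {(today - ok).days} days ago"))
    # 3. Restore testing: a backup nobody has restored from is an assumption, not a backup.
    for job in jobs:
        tested = restore_tests.get(job)
        if tested is None or (today - tested).days > MAX_RESTORE_TEST_DAYS:
            findings.append(("restore-test", job, f"last test restore: {tested or 'never'}"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in audit(REQUIRED_SOURCES, BACKUP_JOBS, parse_log(JOB_LOG),
                                           RESTORE_TESTS, AS_OF):
        print(f"[{category}] {subject}: {detail}")
```

On the sample data it finds exactly the things the post warns about: a user’s local documents folder with no job at all, a job whose 30-day retention is shorter than the 90 days the policy asks for, the ERP database job that has failed two nights running and whose last good copy is two days old, and a job nobody has test-restored in over two months. The coverage check deliberately starts from the business’s list of data rather than from the backup product’s job list, because the backup product cannot tell you about data it was never pointed at.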

Defense in Depth – This is not a new concept, but you should never allow your security approach to be single-minded. So what do we mean by this? You should have multiple layers of security that provide the following:

Anti-virus software – Yes, you still need AV software, and no, there is no AV software that is 100% effective. The software manufacturers do their best to stay up to date, but zero-day malware and vulnerabilities leave a hole that signatures alone can’t close. However, more and more antivirus vendors now offer behavior-based solutions that don’t rely only on a static list of definitions. These solutions analyze what is going on inside your system to decide what is suspicious and stop it. For example, they can compare the rate of file changes on the system to normal activity and decide whether a process is encrypting files rather than editing them.

DNS Filtering – A filtering DNS service refuses to resolve domains known to host malware, phishing pages, or command-and-control servers (and, depending on the service, newly registered or look-alike domains), so a workstation whose user clicks a bad link never reaches the fake site. It is another layer that catches what the mail filter and the AV missed.

Operating System Maintenance – Keeping your operating system up to date is crucial to limiting your exposure to vulnerabilities. Additionally, you should be auditing permissions on your systems to make sure you do not leave unintended permissions that allow system-level changes. In practice that means users do not run as local administrators day to day, and the list of local and domain administrators gets reviewed on a schedule.

Scheduled Password Rotations – I get it, it’s a lot easier to reuse the same passwords for multiple sites, software, and systems. However, it is one of the biggest security risks we see on a daily basis: one breached website hands an attacker a password that also opens your email or VPN. Passwords should be complex (uppercase, lowercase, numbers, and special characters, and at least 8 characters long), they should be rotated every 90 days at a minimum, and your screens should lock automatically after a maximum of 15 minutes of inactivity. One caveat: current NIST guidance (SP 800-63B) favors longer passphrases over forced complexity and recommends changing a password when there is evidence it was compromised rather than on a fixed calendar. Whichever policy you adopt, multi-factor authentication on email, VPN, and remote access does more to blunt a reused or phished password than any rotation schedule.

End-User Security Awareness Training – This once again crosses over to the user error category. If you conduct ongoing monthly training on how to recognize malicious emails and phishing attempts, you will limit your exposure to ransomware and malware.
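The rate-of-change heuristic from the anti-virus item above, reduced to its essentials as an added example (it is not any vendor’s engine and not DaZZee’s code). The file events, the process names, the per-process baselines, and the thresholds are all constructed assumptions; the hypothetical process name update_helper.exe stands in for whatever the malware happens to be running as. The detector keeps a sliding one-minute window of file events per process and alerts when a process is both well above its normal write rate and spending most of that activity renaming files to a new extension.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class FileEvent(NamedTuple):
    when: datetime
    proc: str
    op: str             # "MODIFY" or "RENAME"
    path: str
    new_path: str = ""  # destination for RENAME


WINDOW = timedelta(seconds=60)
# Assumed per-process normal write rates (events per minute) learned during a
# quiet period; processes never seen before get DEFAULT_BASELINE.
BASELINE_PER_MIN: Dict[str, int] = {"WINWORD.EXE": 10, "EXCEL.EXE": 10}
DEFAULT_BASELINE = 5
RATE_MULTIPLIER = 4         # alert when a process runs at 4x its baseline...
MIN_EXT_CHANGE_RATIO = 0.5  # ...and most of that activity changes file extensions


def extension_changed(ev: FileEvent) -> bool:
    """True for a rename that gives the file a different extension (.docx -> .locked)."""
    if ev.op != "RENAME":
        return False
    return os.path.splitext(ev.path)[1].lower() != os.path.splitext(ev.new_path)[1].lower()


def detect(events: List[FileEvent]) -> List[dict]:
    """Sliding-window detector: one alert per process, the first time it trips."""
    recent: Dict[str, Deque[FileEvent]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        window = recent[ev.proc]
        window.append(ev)
        while ev.when - window[0].when > WINDOW:   # drop events older than one minute
            window.popleft()
        if ev.proc in alerted:
            continue
        threshold = BASELINE_PER_MIN.get(ev.proc, DEFAULT_BASELINE) * RATE_MULTIPLIER
        if len(window) < threshold:
            continue
        ratio = sum(1 for e in window if extension_changed(e)) / len(window)
        if ratio >= MIN_EXT_CHANGE_RATIO:
            alerted.add(ev.proc)
            alerts.append({"proc": ev.proc, "at": ev.when, "count": len(window),
                           "ext_change_ratio": ratio, "example": window[-1].new_path})
    return alerts


# Constructed sample activity. A user editing documents in Word all morning...
_T0 = datetime(2020, 4, 16, 9, 0, 0)
NORMAL_EVENTS = [
    FileEvent(_T0 + timedelta(minutes=2 * i), "WINWORD.EXE", "MODIFY",
              rf"\\FS-01\Shares\Finance\report{i}.docx")
    for i in range(6)
]
# ...and a hypothetical process renaming 40 files to .locked in under 30 seconds.
BURST_EVENTS = [
    FileEvent(_T0 + timedelta(minutes=15, seconds=0.7 * i), "update_helper.exe", "RENAME",
              rf"\\FS-01\Shares\Finance\doc{i:03}.docx",
              rf"\\FS-01\Shares\Finance\doc{i:03}.docx.locked")
    for i in range(40)
]

if __name__ == "__main__":
    for a in detect(NORMAL_EVENTS + BURST_EVENTS):
        print(f"ALERT {a['proc']} at {a['at']}: {a['count']} file events in a minute, "
              f"{a['ext_change_ratio']:.0%} changed extension, e.g. {a['example']}")
```

Word never trips the rule; the unknown process does on its twentieth rename, roughly 13 seconds into the burst, which is the point of looking at behavior instead of a signature. Two limits worth knowing: a strain that overwrites files in place and keeps the extension would pass this rule, which is why real engines also look at the entropy of what is being written and at side effects like deleting volume shadow copies; and the baselines have to be learned per environment, or a legitimate bulk rename (a migration script, a large export from a line-of-business application) will trip it just as readily.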

Natural Disaster

Finally, coming in at just 3% of overall data loss instances, are natural disasters such as fires, floods, tornadoes, and even power outages. When people mention business continuity and disaster recovery, chances are these are the immediate images that come to mind. But in reality they are a very small percentage of the actual risks you may have to deal with. Nonetheless, here are some key items to help make sure you keep your data safe in the event of a natural disaster:

Utilize Cloud Based Image Level Backups – As part of your ongoing backup and disaster recovery, consider a cloud-based image-level backup. These are not cheap, but they provide the ultimate in resiliency by allowing you to boot critical servers on cloud infrastructure if you lose your building or data infrastructure. That could be a lifesaver for your business in these circumstances. One caution: if the cloud copy is reachable from your network as a mapped drive with everyday credentials, treat it as on-site for ransomware purposes; it only counts as a separate copy when it cannot be overwritten from a compromised workstation.

In Conclusion

While most people think ransomware is one of the biggest threats to their business, the data tells a different story. The good news is that for the most part you can control your exposure to the things that put you at the biggest risk of data loss. By making absolutely certain you have TESTED and reliable backups, planning your equipment replacement ahead of time, and keeping your end users trained and up to speed, you give yourself the best chance of keeping operations ongoing and unaffected.

The first step in all of this is to analyze fairly and truthfully where you stand in this whole process. Burying your head in the sand and hoping these things are taken care of is one of the biggest reasons organizations end up losing data.